Re: W2k Default User and Administrator

T-Boy wrote
> This isn't "your" network"

yeah ok I'll give you that.

> - as said, *most* small business
> networks are setup so that each local user "owns" their PC -
> and can install s/w onto them without having to see an
> administrator (most small business setups don't *have* a
> dedicated network administrator).

I realise that there would not be a dedicated administrator, but
still, I would hardly rate a school as a small business(in network
terms) as kids will destroy anything, all they would need is a logged
in machine, and they could trash it if that user had admin rights on
that machine.

Also, as they are running AD they have a domain controller, so are
running a server OS, which I would assume they would have some "sort
of administrator" that does tech work for them(most likely Matthew
Strickland?)

> The PC is totally safe as setup like this, the local user has a
> machine that only they can change (no other user will have
> local rights).

The PC is entirely not safe like this.
If anyone has admin rights, they can essencially destroy the PC.

> On large networks, sure; roaming profiles, lockdown desktops
> and workstations are the way to go.

yeah sure...

> And sure this may well
> apply to small networks too, operating in a corporate
> environment under a larger business umbrella where the setup is
> dictated.

Well dictated is rather strong language, but I guess it is true

> But it'll be a fair bit dearer to admin...

yes and no.
Dearer for some things, but if users cant break things, there is less
admin work.

> user
> wants something, phone the helpdesk

Doesn't need to be a helpdesk, this is only a school... maybe user
emails "sudo admin"

> fill in a request for
> change

no need, email is all that is required. maybe add something like a
cost code to each teacher so that requests have some sort of ID on
them - digital signature - you can get them free now for non
commercial use(I assume that schools are non-commercial)

> goes through change management process (might take a
> week - chit, might only have change management meetings once a
> week), decision is made, change is implemented or isn't.

no need, all that is required is the above method.
I know it works as I have seen it running.

> Most small busines's do *not* operate like that - nor do they
> wish to. Local PC autonomy is typical and recommended even by
> operating system makers such as Microsoft.

yeah, but running an smtp server that accepts any requests was also
recommended by MS until a couple of years back.

> (Check out an SBS
> workstation setup - as recommended by Microsoft). This does
> not mean (BTW) that desktops can not be further locked down,
> nor does it stop group policy implemnented workstation
> lockdown.

Dont have the time or inclination to check it out.

T.N.O.

Matthew Strickland wrote:
> NTFS, and you use a complex local admin password. (I have had cases of users
> hacking NTFS partitions, deleting sam or decoding sam files and gaining
> local admin access)...

you could always rename the local admin account to something stupid that
no-one would guess, then make another account with the username
"administrator" and only having guest rights... that would do it
wouldn't it?

Yes it sure would, its been a suggestion before

Thanks anyway guys, ill tackle it all next week. At least its holidays!

Matt

"T.N.O." <> wrote in message
news:...
> Matthew Strickland wrote:
> > NTFS, and you use a complex local admin password. (I have had cases of
users
> > hacking NTFS partitions, deleting sam or decoding sam files and gaining
> > local admin access)...
>
> you could always rename the local admin account to something stupid that
> no-one would guess, then make another account with the username
> "administrator" and only having guest rights... that would do it
> wouldn't it?
>